Handle creation of ConfidentialClusters

Previous setup had a watcher on cocl objects, but did nothing with it
and just assumed one would be present. Instead, run installations when
=1 cocl is present.

Signed-off-by: Jakob Naucke <jnaucke@redhat.com>

Author: Jakob-Naucke

operator/src/lib.rs

@@ -9,7 +9,9 @@
 // Use in other crates is not an intended purpose.
 
 use kube::{Client, runtime::controller::Action};
-use std::{fmt::Display, sync::Arc, time::Duration};
+use log::info;
+use std::fmt::{Debug, Display};
+use std::{sync::Arc, time::Duration};
 
 #[derive(Clone)]
 pub struct RvContextData {
@@ -30,6 +32,13 @@ pub fn controller_error_policy<R, E: Display, C>(_obj: Arc<R>, error: &E, _ctx:
     Action::requeue(Duration::from_secs(60))
 }
 
+pub async fn controller_info<T: Debug, E: Debug>(res: Result<T, E>) {
+    match res {
+        Ok(o) => info!("reconciled {o:?}"),
+        Err(e) => info!("reconcile failed: {e:?}"),
+    }
+}
+
 #[macro_export]
 macro_rules! info_if_exists {
     ($result:ident, $resource_type:literal, $resource_name:expr) => {

operator/src/main.rs

@@ -6,61 +6,51 @@
 use std::sync::Arc;
 use std::time::Duration;
 
-use anyhow::{Result, bail};
+use anyhow::Result;
 use env_logger::Env;
 use futures_util::StreamExt;
 use kube::runtime::{
     controller::{Action, Controller},
     watcher,
 };
-use kube::{Api, Client, api::ListParams};
-
-use log::{error, info};
-use thiserror::Error;
+use kube::{Api, Client};
+use log::{error, info, warn};
 
 use crds::ConfidentialCluster;
 mod reference_values;
 mod trustee;
 
-#[derive(Debug, Error)]
-enum Error {}
-
-#[derive(Clone)]
-struct ContextData {
-    #[allow(dead_code)]
-    client: Client,
-}
-
 const BOOT_IMAGE: &str = "quay.io/fedora/fedora-coreos:42.20250705.3.0";
 
-async fn list_confidential_clusters(client: Client) -> anyhow::Result<ConfidentialCluster> {
-    info!(
-        "Listing ConfidentialClusters in namespace '{}'",
-        client.default_namespace()
-    );
-    let api: Api<ConfidentialCluster> = Api::default_namespaced(client.clone());
-    let lp = ListParams::default();
-    let list = api.list(&lp).await?;
-    match list.items.len() {
-        0 => bail!("No confidential cluster resource found"),
-        1 => {
-            let item = &list.items[0];
-            info!(
-                "Found ConfidentialCluster: {}",
-                item.metadata.name.as_deref().unwrap_or("<no name>"),
-            );
-            Ok(item.clone())
-        }
-        _ => bail!("too many confidential cluster resources defined in the namespace"),
+async fn reconcile(
+    cocl: Arc<ConfidentialCluster>,
+    client: Arc<Client>,
+) -> Result<Action, operator::ControllerError> {
+    let name = cocl.metadata.name.as_deref().unwrap_or("<no name>");
+    if cocl.metadata.deletion_timestamp.is_some() {
+        info!("Registered deletion of ConfidentialCluster {name}");
+        return Ok(Action::await_change());
+    }
+    let kube_client = Arc::unwrap_or_clone(client);
+
+    let cocls: Api<ConfidentialCluster> = Api::default_namespaced(kube_client.clone());
+    let list = cocls.list(&Default::default()).await;
+    let cocl_list = list.map_err(Into::<anyhow::Error>::into)?;
+    if cocl_list.items.len() > 1 {
+        let namespace = kube_client.default_namespace();
+        warn!(
+            "More than one ConfidentialCluster found in namespace {namespace}. \
+              cocl-operator does not support more than one ConfidentialCluster. Requeueing...",
+        );
+        return Ok(Action::requeue(Duration::from_secs(60)));
     }
-}
 
-async fn reconcile(_g: Arc<ConfidentialCluster>, _ctx: Arc<ContextData>) -> Result<Action, Error> {
-    Ok(Action::requeue(Duration::from_secs(300)))
+    info!("Setting up ConfidentialCluster {name}");
+    install_trustee_configuration(kube_client, &cocl).await?;
+    Ok(Action::await_change())
 }
 
-async fn install_trustee_configuration(client: Client) -> Result<()> {
-    let cocl = list_confidential_clusters(client.clone()).await?;
+async fn install_trustee_configuration(client: Client, cocl: &ConfidentialCluster) -> Result<()> {
     let trustee_namespace = cocl.spec.trustee.namespace.clone();
 
     match trustee::generate_kbs_auth_public_key(
@@ -99,7 +89,7 @@ async fn install_trustee_configuration(client: Client) -> Result<()> {
     let rv_ctx = operator::RvContextData {
         client: client.clone(),
         trustee_namespace: trustee_namespace.clone(),
-        pcrs_compute_image: cocl.spec.pcrs_compute_image,
+        pcrs_compute_image: cocl.spec.pcrs_compute_image.clone(),
         rv_map: cocl.spec.trustee.reference_values.clone(),
     };
     reference_values::launch_rv_job_controller(rv_ctx.clone()).await;
@@ -185,22 +175,14 @@ async fn install_trustee_configuration(client: Client) -> Result<()> {
 async fn main() -> Result<()> {
     env_logger::Builder::from_env(Env::default().default_filter_or("info")).init();
 
-    let client = Client::try_default().await?;
-    let context = Arc::new(ContextData {
-        client: client.clone(),
-    });
+    let kube_client = Client::try_default().await?;
     info!("Confidential clusters operator",);
-    let cl = Api::<ConfidentialCluster>::default_namespaced(client.clone());
+    let cl = Api::<ConfidentialCluster>::default_namespaced(kube_client.clone());
 
-    tokio::spawn(install_trustee_configuration(client.clone()));
+    let client = Arc::new(kube_client);
     Controller::new(cl, watcher::Config::default())
-        .run::<_, ContextData>(reconcile, operator::controller_error_policy, context)
-        .for_each(|res| async move {
-            match res {
-                Ok(o) => info!("reconciled {o:?}"),
-                Err(e) => info!("reconcile failed: {e:?}"),
-            }
-        })
+        .run::<_, Client>(reconcile, operator::controller_error_policy, client)
+        .for_each(operator::controller_info)
         .await;
 
     Ok(())

operator/src/reference_values.rs

@@ -28,7 +28,9 @@ use serde::Deserialize;
 use std::{collections::BTreeMap, path::PathBuf, sync::Arc, time::Duration};
 
 use crate::trustee::{self, get_image_pcrs};
-use operator::{ControllerError, RvContextData, controller_error_policy, info_if_exists};
+use operator::{
+    ControllerError, RvContextData, controller_error_policy, controller_info, info_if_exists,
+};
 use rv_store::*;
 
 const JOB_LABEL_KEY: &str = "kind";
@@ -165,7 +167,7 @@ async fn job_reconcile(job: Arc<Job>, ctx: Arc<RvContextData>) -> Result<Action,
     jobs.delete(name, &DeleteParams::default())
         .await
         .map_err(Into::<anyhow::Error>::into)?;
-    trustee::recompute_reference_values(Arc::<RvContextData>::unwrap_or_clone(ctx)).await?;
+    trustee::recompute_reference_values(Arc::unwrap_or_clone(ctx)).await?;
     Ok(Action::await_change())
 }
 
@@ -178,12 +180,7 @@ pub async fn launch_rv_job_controller(ctx: RvContextData) {
     tokio::spawn(
         Controller::new(jobs, watcher)
             .run(job_reconcile, controller_error_policy, Arc::new(ctx))
-            .for_each(|res| async move {
-                match res {
-                    Ok(o) => info!("reconciled {o:?}"),
-                    Err(e) => info!("reconcile failed: {e:?}"),
-                }
-            }),
+            .for_each(controller_info),
     );
 }